Thoughts of a Primary School Tech

Wednesday, 22 October 2014

If you have ever needed to shut down a server but it wants to install updates which you know will take longer than your service window you can use the following command to prevent the issue until you reboot.

Friday, 3 October 2014

This issue makes me laugh. You have Skype, you attempt to log in, and even though your login credentials are perfect and you are on full unfiltered broadband, it says "Sign-In Details not recognized". Yet weirdly enough it might be working on another computer.

Now you probably Googled it and all the forums say "Download the Latest Version", I despise resolutions like that because even though sometimes it works, it doesn't solve the issue for those that do have the latest version, oh and since when do older versions just stop working?

Unless it's been announced that you have to upgrade, you don't have to do anything you don't want to.

This is a resolution with the latest or an older version.

Usually, this is caused by a corruption/break in one of three locations.

Now when you just uninstalled and re-installed you will probably find that Skype still has a problem. That is because Microsoft are lazy and leave crap behind and the Skype uninstaller leaves these folders on your hard drive.

So when you re-install, shock and behold it still uses the same corrupt files to run.

When you upgrade, you sometimes find that these folders are replaced or updated, thus removing the corruption. The upgrade doesn't spot and fix the corruption; it just replaces files and folders that might or might not have been corrupt. This is why the upgrade sometimes fixes it, though that depends on the update and what the update actually replaces.

Reinstall Skype, ideally the latest version since you are doing an install anyway, but it doesn't matter.

Once installed, try to log in again. Shock and horror, it's working.

Other Stupid Resolutions

Internet Explorer

Another resolution (apparently) is to install the latest version of IE. Just go away and stop blaming IE for everything. Yes, it's full of bugs and yes, everyone who has an IQ higher than 4 uses something else, but it isn't a thing to point the finger at when you quite simply don't know the real reason.

Windows Firewall
No. It worked before, it should still work. Software developers don't just go one day, hey shall we use different ports this time round.

Proxy Incorrect
No. It worked before, it should still work. Again, software developers don't just decide "screw it, let's completely revolutionize the way we connect through a proxy and not tell anyone about it".

Downgrade
You need to be shot. Unless there is genuinely a bug that Skype themselves acknowledge, there is no reason to downgrade.

Tuesday, 29 July 2014

Recycle Bins and Redirection

The Recycling Bin found on your desktop opens up a window and within that window you have all the items that you have deleted, either accidentally or deliberately.

What you might not know is that every redirected folder has its own recycling bin. If you have 10 redirected folders you have 10 additional recycling bins, all with their own settings and storage capacities.

You also always have your local recycling bin for every drive. So if you have a C:\ and D:\ drive, you have a recycling bin for both the C:\ and D:\ Drives.

10 Redirected folders + 2 Drives = 12 individual recycling bins.

If you have redirected Music, Videos and Pictures to follow My Documents, you have 3 fewer recycling bins, because Music, Videos and Pictures will use the My Documents recycling bin. Just to add to that annoyance.

So when you open the recycling bin from the desktop, you are basically taking all x amount of recycling bins (in our example 12) and viewing them all in one place with no indication of which recycling bin the files exist in.

Below is an example where I have made Pictures and Music have their own redirection and "Videos" follows the Documents folder.

So even though I have one view, the files are actually stored in completely different locations.

Locations

So let's say you map a drive, the P:\ drive, to the client. This P:\ drive is their personal drive. This drive is a UNC path of:

\\file-server-01\studentsdrives\%username%\documents.

The Recycling Bin will be found by adding $recycle.bin to the end of that unc path.

Following from my example above I see:

Notice now in my "Documents" recycling bin I have lost the Music and Pictures files. This is because they reside in a different recycling bin:

\\file-server-01\studentsdrives\%username%\Music\$Recycle.Bin

\\file-server-01\studentsdrives\%username%\Pictures\$Recycle.bin

So what does this mean for me?

You are an IT Admin and you damn well know people store stuff in their recycling bin and don't delete it. Now if they do this, then you could have large files that are pending deletion sitting on your server as every redirected folder has their own recycling bins.

I found that a student copied a DVD to his "My Videos" folder (3.2GB), watched the DVD and then deleted the file. To him, the file was deleted. To the server, it was still there in his recycling bin. Even though the My Documents recycling bin was limited in size, his My Videos recycling bin has its own size limit, and as a result he ended up with a total of 11GB of deleted files when we calculated the combined total of his recycling bins.

That was one student. In high schools with over 1k in student numbers, this is a massive drain on server resources. Naturally it justifies the nice new SAN system you want, but schools don't have much money anymore, they never did to begin with and it is just getting worse.
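To measure this on your own file server, the PowerShell script below totals the contents of every per-folder recycle bin under a share of redirected folders. It is an added example, not part of the original post; it assumes the `\\file-server-01\studentsdrives\<username>\<folder>\$RECYCLE.BIN` layout from the example above and an account that can read the hidden bin folders.

```powershell
# Added example: report how much space each redirected-folder recycle bin uses.
# $ShareRoot is the example UNC root from this post; change it for your server.
param(
    [string]$ShareRoot = '\\file-server-01\studentsdrives',
    [int]$Top = 20
)

function Get-FolderSizeBytes {
    param([string]$Path)
    # -Force is required: $RECYCLE.BIN and its contents are hidden system items.
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { 0 } else { [long]$sum }
}

$report = foreach ($userDir in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
    # Each redirected folder (Documents, Music, Pictures, ...) can hold its own bin.
    foreach ($folder in Get-ChildItem -LiteralPath $userDir.FullName -Directory -Force) {
        # Single quotes stop PowerShell treating $RECYCLE as a variable.
        $bin = Join-Path $folder.FullName '$RECYCLE.BIN'
        if (Test-Path -LiteralPath $bin) {
            [pscustomobject]@{
                User   = $userDir.Name
                Folder = $folder.Name
                BinMB  = [math]::Round((Get-FolderSizeBytes $bin) / 1MB, 1)
            }
        }
    }
}

# Largest individual bins first
$report | Sort-Object BinMB -Descending | Select-Object -First $Top |
    Format-Table -AutoSize

# Combined total per user, which is the figure that matters for server storage
$report | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User    = $_.Name
        Bins    = $_.Count
        TotalMB = [math]::Round(($_.Group | Measure-Object BinMB -Sum).Sum, 1)
    }
} | Sort-Object TotalMB -Descending | Select-Object -First $Top |
    Format-Table -AutoSize
```

The script only reads; it does not empty or resize any bin.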

So how do I manage it?

Well this is the tricky bit now, because there is no pre-set GPO to deal with this.

The easiest way is to use File/Folder Quota Management. Each recycling bin is set to use a percentage of the allocated size of the allowed disk, but this depends on your folder structures and redirection as you can say your personal folders are only allowed 10GB but your profile folders might be in a different location and you need to then set quotas for those as well.

Customized GPO

I took the liberty to create a GPO that will enable you to disable and/or specify sizes for each individual redirected folder recycling bin.

I have tested this with Windows 7 and have confirmed the settings for higher versions.

You can completely disable the redirected folder recycling bin (above)

Or you can specify the size of each redirected folder's recycle bin.

If you right click on your recycling bin on your client computer, you will find where these settings will apply:

For each recycling bin you either set it so it doesn't move the files to the recycling bin and just deletes them with immediate effect or alternatively you can set the size in MB within the policy.

For example, I have set my Pictures, Videos and Music to follow the Documents folder, and using my GP objects I have limited the Documents recycle bin to 3GB and disabled every other recycling bin.

If they deleted an item from their downloads folder by accident, I can recover it anyway using shadow copy.

This is how I solved it, and if anyone else is having these issues, by all means try my policies. The alternative way is to manually alter the registry for each redirected folder, but that made up about 12 preferences which I could do without. Looks messy.

Wednesday, 16 July 2014

I have recently been working with a school who have signed up to Microsoft’s OVS-ES service, as a part of this they are entitled to apply for Student Advantage licenses which will allow pupils to download and install an up to date version of Office on up to 5 devices at home. In order to access this feature the school need to sign up for an Office 365 account and to use the A2 (Free) service.
Administrators can apply licenses to staff and pupils through a website; however, this only allows you to modify a limited number of users at a time. Microsoft have been generous and provided a means of automating some of these processes using PowerShell.
In order to accomplish this you will require the Windows Azure Components installed on your computer. Once these are installed you will be able to use PowerShell to connect and work with your Office 365 service.
The script below is an example of PowerShell code which will allow you to apply a license to users within a certain department (AD attribute). Once this license has been applied, any restrictions you wish on the services within the license are added.
This script could be amended to work with pupil users by editing the license used and the department searched for. However, the script is very basic and will not take into account any users who may have conflicting entries to those you set; I have not tested this scenario.
I will follow up on this basic post with a more comprehensive one which will allow you to pick the department and license you wish to apply based on basic text menus presented in the shell, but for now this will give you something to be going on with.

###################################################################################
# Marc Hundley
#
# Version 0.1
#
# 16/07/2014
#
# Purpose : Allocating with restrictions access for Staff to the O365 tools online
###################################################################################
#
# Requirements
# ------------
#
# Windows Azure Components
# Office 365 online account
#
######
#
# Suitable amount of licenses to allocate to staff
#
######
#
# Knowledge of TENANT_ID - can be obtained by using the following commands :
#
# import-module MSOnline
# $msolcred = Get-Credential
# Connect-MsolService -Credential $msolcred
# $licenses = Get-MsolAccountSku
# $licenses
#
# This will give you all of the available licenses, the TENANT_ID will be the
# common factor before the :
#
######
#
# Edit the -DisabledPlans entry depending on the needs of the customer, these
# can be obtained with the command :
#
# import-module MSOnline
# $msolcred = Get-Credential
# Connect-MsolService -Credential $msolcred
# $licenses = Get-MsolAccountSku
# $licenses[x].ServiceStatus
#
# Where [x] is the license you wish to view (array starting at 0)
#
# Options for the STANDARDWOFFPACK_FACULTY are as follows
#
# YAMMER_EDU
# SHAREPOINTWAC_EDU
# MCOSTANDARD
# SHAREPOINTSTANDARD_EDU
# EXCHANGE_S_STANDARD
#
######
#
# Staff members are to be members of the Staff department in Active Directory
# which has synchronised with Office 365
#
###################################################################################

#Import O365 Azure module
import-module MSOnline
#Clear Screen
cls

#Connect to Office 365 with admin credentials
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

#get users
$users = Get-MsolUser -Department "Staff" -MaxResults 2500

#Assign faculty pack exclusions to variable (edit disabledplans as needed by customer)
#Replace <TENANT_ID> with your own tenant ID before running
$myO365Sku = New-MsolLicenseOptions -AccountSkuId "<TENANT_ID>:STANDARDWOFFPACK_FACULTY" -DisabledPlans EXCHANGE_S_STANDARD

#Assign components for each user
foreach ($user in $users) {
    $username = $user.UserPrincipalName
    write-Host "Assigning License for $username"
    #Add Overall license (required before setting restrictions)
    Set-MsolUserLicense -UserPrincipalName $username -AddLicenses "<TENANT_ID>:STANDARDWOFFPACK_FACULTY"
    #Assign exclusions
    Set-MsolUserLicense -UserPrincipalName $username -LicenseOptions $myO365Sku
}

Thursday, 3 July 2014

Annoyingly when you add certain drivers to a Mac, the default may say 1-sided but the pages still print as 2-sided. This can cause much frustration and although you can create presets, there is no way to actually change the default through those settings. However by following these few steps you can change the default settings. Please bear in mind, this only changes the default on the computer you are working on. If you have a Mac Server where the printer sits, then run these steps on that and it should set it all as default:

Annoyingly again on 10.9, access to the CUPS page is blocked, it is almost like Apple don't want to change anything these days. To enable it, open Terminal (go to Spotlight and search for it) and type "sudo cupsctl WebInterface=yes" (without the quotation marks). You will need to enter the admin password when prompted.

Open a browser and in the address bar enter “localhost:631”

With the CUPS web page open, select the Printers tab and the printer you want to edit. In this case I select the Konica.

Then on the drop down menu titled “Administration” , change to "Set Default Options".

This will show a new page with some new headings (links).

In this case select Finishing Options. Scroll down the list until you see Print type. Change it from 2 Sided to 1 Sided.

Then scroll down the page until you see the Set Default Options button.

Click on this button to save the change. You will then be prompted to authenticate to CUPS.

Enter the account name and password of the Mac user, it needs to be an admin account. And then press the Log In button. You should then get a confirmation.

Friday, 27 June 2014

Incorrect DNS setup, errors and old records can significantly affect performance, and since a lot of third-party applications (antivirus, remote support) use DNS, as well as all Windows Server roles and System Center products, it is fairly important.

If DNS fails, everything else will. Trust me, trust all IT Admins, when it goes down, brown trousers are a guarantee.

Multiple ISPs, Ja.net for one that I know of, do offer backup name servers and automatic fail-over, so in the event that your DNS does fail, at least you know you have an offsite copy somewhere (see Janet DNS Services).

Is there something wrong with mine?

Now if you work in a single establishment and have performed multiple migrations of your network, I can guarantee (since you are reading this) you have probably looked at your DNS and realised: wait, there are machines in here which haven't existed for years. Why haven't they gone? Scavenging is set.

This also applies for new networks as well which have been going for a couple years or so. It doesn't take long for a network to get quite dirty.

You gotta love GUI... not. This is why we should all be on Core editions, people! If you are a Doctor Who fan, you know the Doctor lies; a GUI lies too.

Yes, you have a tick box and yes, you've specified the day to scavenge records, but have you also noticed that when you scavenge manually, they still stay there? Now isn't that just weird.

Is there something wrong with your DNS? Well, no, because your network is working, but yes, because it isn't working as well as it could be.

Let's Tidy Up.

Active Directory Domain Services
First and foremost since you are doing all this cleaning, it might be worth just re-looking at your Active Directory.

At my college, yes, I have an accurate asset register, but there is that part of me thinking: is it possible that this random computer is still being used by someone? Why is it in AD if it isn't?

If unsure, disable it and wait for the phone to ring, enabling it takes all of 5 seconds to fix the issue. Cleaning up AD can make your life so much easier as when running through the DNS records you can then say, hand on heart, that machine shouldn't be in there, it doesn't exist anymore.

After a set period of time (48hours to 2 weeks), if you can say well no one has called and all staff full time and part time have been in since then, then you can delete it properly from Active Directory. I genuinely disabled about 40 machines when I first started here. How else am I going to find out? People are quick to report issues when they can't login, plus makes you feel in control, they need to be reminded of this. :)

DNS

Now you can say AD is up to date and accurate, let's start sorting out DNS.

You will need to perform the following actions on every DNS server in your organisation. Don't listen to the myths of it replicating, that's Microsoft pretending that everything is perfect. When it comes to settings, just pretend nothing like that works and manually check. Sometimes it does replicate and I'm sure the settings do after X amount of time, but I haven't got time to sit with fingers crossed.

Saying that, there is a moment, where you just need to wait, some things cannot be rushed.. Trust me on this.

Regardless of whether you use RSAT or log in to your server remotely/directly, you need to open DNS (shock).

Add in ALL your DNS Servers, so you can just do it all from one place.

Right click your first server and choose Set Aging/Scavenging for All Zones.

On the Menu, choose the tick box and set a time for your scavenging, best practice is 7 days. For a school I like 5. (I did this on a Monday, so now mine refreshes the weekend).

Press Ok.

Right click the server again and choose properties.

On the Advanced Tab, ensure "Enable automatic Scavenging of Stale Records" is ticked and you specify the identical number of days you specified above.

*This is not best practice, and in a very large enterprise environment you wouldn't set these times all the same (hence why it isn't set from the top level). In a school with a single forest and a single site, hell even a double site, this is not going to cause any problems. At university level, maybe you need to plan this out a bit more, but at that level, frankly, if your technicians and administrators have a bad DNS then what the hell are you doing.

Press Ok to the Aging and press ok to the properties menu.

If you have a second DNS Server then do all the process again for your second one.

If you have more than 2 DNS Servers however, do the complete opposite. Turn OFF DNS scavenging in every menu specified above. In this case it is best to have one server handling all the scavenging.

You will notice that once you have typed in what you need to, the list of scavenging servers is now set up successfully. You might have 2 in the list, or just 1, depending on your setup.

The waiting game begins.

Patience
This will take several weeks to finally sort itself out. The reason is that machines that joined before you set this all up have different timestamps to what you specified, among other things, so other than manually deleting them, just hold fire and wait.

After a few weeks you'll begin to notice that your scavenging is actually working now. No odd devices are appearing in your DNS.
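Rather than trusting the tick boxes, you can check from PowerShell what each DNS server actually has configured and which dynamic records are already past their aging window. This is an added example, not part of the original post; it assumes the DnsServer module (Windows Server 2012 or later, or RSAT) and uses the hypothetical server names `dns-01` and `dns-02`.

```powershell
# Added example: read-only audit, nothing is changed or deleted.
# Requires the DnsServer module. Server names are hypothetical placeholders.
Import-Module DnsServer
$DnsServers = 'dns-01', 'dns-02'

$stale = foreach ($server in $DnsServers) {
    # Server-level switch: "Enable automatic scavenging of stale records"
    $scav = Get-DnsServerScavenging -ComputerName $server
    Write-Host ("{0}: scavenging={1} interval={2} last run={3}" -f
        $server, $scav.ScavengingState, $scav.ScavengingInterval, $scav.LastScavengeTime)

    # Only real primary forward zones; skip auto-created, reverse and TrustAnchors
    $zones = Get-DnsServerZone -ComputerName $server | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
        -not $_.IsReverseLookupZone -and $_.ZoneName -ne 'TrustAnchors'
    }

    foreach ($zone in $zones) {
        # Zone-level setting: "Set Aging/Scavenging" and the scavenging server list
        $aging = Get-DnsServerZoneAging -Name $zone.ZoneName -ComputerName $server
        Write-Host ("  {0}: aging={1} scavenge servers={2}" -f
            $zone.ZoneName, $aging.AgingEnabled, ($aging.ScavengeServers -join ','))
        if (-not $aging.AgingEnabled) { continue }

        # A dynamic record is eligible once it is older than no-refresh + refresh.
        $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)

        # Static records have no timestamp and are never scavenged, so skip them.
        Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ComputerName $server -RRType A |
            Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $server
                    Zone        = $zone.ZoneName
                    HostName    = $_.HostName
                    IPv4        = $_.RecordData.IPv4Address
                    LastRefresh = $_.Timestamp
                }
            }
    }
}

# Oldest records first: these are the machines that "haven't existed for years"
$stale | Sort-Object LastRefresh | Format-Table -AutoSize
```

If the same hosts keep appearing in this list week after week, scavenging is not running for that zone, whatever the GUI shows.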

Roles such as WSUS will begin to actually clean itself up when you click clean, things like system center client deployments will work much faster. Antivirus logs become more accurate, server resolution is significantly quicker and the clients will begin to notice some speed improvements, though they won't ever say anything. Login times usually improve as well and you'll probably find that group policies that are set but haven't applied correctly start to apply oh and DFS begins to love you again.

I hope this blog has helped out a lot of people out there, I know my life became so much easier once I got the DNS stuff out the way. My DNS is neat, my AD is neat and there is no sign of old devices from previous migrations. Ready for the future.